Hi everyone, |

I've been doing some experimental work with PaX enabled kernels and I
wanted to share it with the community at large for feedback.

Motivation: There are two (soon three) ways of doing PaX markings so
that a PaX enabled kernel knows what restrictions to put on the running
process. These are:

1) EI_PAX markings. This puts the pax flags in the ELF header in bytes
14 and 15 of the e_ident[] field. This was a "hijacked" area and is now
broken. [1]

2) PT_PAX markings. This puts the flags in an ELF program header. On
Gentoo systems, all binaries are compiled with a PT_PAX header ready to
go because of a patch against binutils [2]. The problem is precompiled
binaries which lack a PT_PAX header and cannot have one added without
breaking (e.g. skype).

3) XT_PAX markings. This is the new experimental way of doing the
markings using xattrs for PaX markings. Currently, I'm using the name
space "user.pax" so as to allow users to mark their own binaries, but
this may change to "security.pax" depending on what direction upstream
(i.e. pipacs) wants to go. The advantage here is that the ELF binary is
not mangled in any way since the xattrs live in the inodes, not the
blocks. The disadvantage is that xattrs are not supported on all
filesystems and in all the utilities we need for portage to work. I'm
working to get xattrs supported where we need it. This will also help
with supporting other features like ACL and CAPS. To this end:

a) There is a patch against tar to support xattrs based on a Fedora
patch. [3]
b) Kernels 3.0 and above support xattrs in tmpfs, squashfs and other
filesystems.
c) Python 3.3 and above support os.getxattr and os.setxattr and zmedico
and Arfrever have patched portage to copy xattrs from ${D} to ${ROOT}.
d) There's probably more .... feedback welcome!
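To make the three marking locations concrete, here is an added Python 3 example (mine, not code from the HOWTO or any Gentoo tool) that reports, for one ELF binary, its EI_PAX bytes at e_ident[14..15], the p_flags of any PT_PAX program header, and the XT_PAX xattr via os.getxattr. The PT_PAX_FLAGS type value and the exact attribute name under the "user.pax" namespace are assumptions taken from PaX rather than from this mail, and the sample ELF image is constructed inline.

```python
import os
import struct

# Assumed from the PaX ELF spec, not from this mail: p_type of a PT_PAX program header.
PT_PAX_FLAGS = 0x65041580
PAX_XATTR = "user.pax.flags"  # assumed name under the "user.pax" namespace the mail describes

def elf_markings(data: bytes) -> dict:
    """Return the EI_PAX word and the PT_PAX p_flags (None if no such phdr) of an ELF image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    ei_pax = struct.unpack_from(end + "H", data, 14)[0]   # 1) EI_PAX: hijacked e_ident[14..15]
    if is64:                             # 2) PT_PAX: locate and scan the program header table
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                    # p_flags follows p_type in an Elf64_Phdr
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                   # p_flags is the seventh field of an Elf32_Phdr
    pt_pax = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(end + "I", data, off)[0] == PT_PAX_FLAGS:
            pt_pax = struct.unpack_from(end + "I", data, off + flags_off)[0]
    return {"ei_pax": ei_pax, "pt_pax": pt_pax}

def xattr_marking(path: str):
    """3) XT_PAX: the flags xattr as text, or None when absent or the filesystem lacks xattrs."""
    try:
        return os.getxattr(path, PAX_XATTR).decode()
    except (OSError, AttributeError):    # ENODATA, ENOTSUP, missing file, non-Linux os module
        return None

def file_markings(path: str) -> dict:
    """All three marking locations for one binary on disk."""
    with open(path, "rb") as f:
        report = elf_markings(f.read())
    report["xt_pax"] = xattr_marking(path)
    return report

def build_sample_elf64(pax_flags: int) -> bytes:
    """Constructed sample: a header-only little-endian ELF64 image with one PT_PAX_FLAGS phdr."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)      # e_ident[14..15] left zero (no EI_PAX)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr
```

Running file_markings() over /usr/bin on a converted system shows at a glance which binaries still carry only EI_PAX or PT_PAX and which have the xattr set.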

I've built two test systems, amd64 and x86, and so far so good.
Prometheanfire tested too and helped find some snags. If anyone is
interested, I've got a HOWTO on converting any gentoo system to a *pure*
XT_PAX hardened system [4], i.e. one with *no* EI_PAX or PT_PAX. This
will not be the final situation, where we will have backwards compat with
PT_PAX but not EI_PAX. However, for testing it will force any issues
with XT_PAX to the foreground.

Since many of you know more about the internals of Gentoo than I, I
would appreciate any suggestions regarding what I might be missing if we
eventually migrate in this direction.

References:

[1] https://bugs.gentoo.org/show_bug.cgi?id=387459

[2] As of this writing, PT_PAX support is provided by patch
63_all_binutils-2.21.1-pt-pax-flags-20110918.patch which can be
obtained from the patch bundles found at
http://dev.gentoo.org/~vapier/dist/ among other places.

[3] https://bugs.gentoo.org/show_bug.cgi?id=382067

[4] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=HOWTO.txt;h=9edc600f0d81d5e77c6cd7e961a05b56f51b51ec;hb=f4d0da5dcaf12e4b9a70c1d2528becf649b1de61

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535